
Found registry entry called secrets Need some advice..

Tags:
  • Registry
April 23, 2014 3:01:27 PM

I found a weird registry entry called "secrets". Any clues on what it is or what to do about it?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets]
@=hex(0):

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DefaultPassword]
@=hex(4):

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DefaultPassword\CupdTime]
@=hex(0):a7,d3,6c,ec,e4,11,cf,01

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DefaultPassword\CurrVal]
@=hex(0):00,00,00,01,bc,2e,a0,0b,be,d3,30,2a,b5,c3,c1,f4,63,b5,0e,09,03,00,00,\
00,00,00,00,00,45,97,78,2e,ac,03,be,00,ca,d8,db,3f,7d,ab,1b,1f,74,11,ee,a1,\
76,f1,0b,14,74,1b,54,16,a3,c3,0e,a0,ef,46,8e,aa,49,5b,a6,b4,d3,9e,09,2b,fe,\
11,20,cb,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DefaultPassword\OldVal]
@=hex(0):00,00,00,01,bc,2e,a0,0b,be,d3,30,2a,b5,c3,c1,f4,63,b5,0e,09,03,00,00,\
00,00,00,00,00,59,ce,e6,d0,ea,a8,98,28,85,81,3d,f4,f4,a4,3f,c8,01,ee,c2,f5,\
e1,81,d5,47,d5,79,b9,8c,92,60,85,ea,53,08,d7,c8,d0,0a,fb,bd,16,22,cb,38,ed,\
ae,c4,a6,af,53,57,89,a8,6f,61,4b,f1,6b,cf,c8,18,27,f6,ba,96,4b,c7,9b,94,5d,\
dd,fd,62,db,7d,04,80,2c,b2,7e

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DefaultPassword\OupdTime]
@=hex(0):40,2c,81,5c,e1,11,cf,01

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DefaultPassword\SecDesc]
@=hex(0):01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,14,00,00,00,02,00,34,\
00,02,00,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,00,00,02,00,01,01,00,00,00,00,00,01,00,00,00,00,01,\
02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,01,00,00,00,00,00,05,12,00,\
00,00

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DPAPI_SYSTEM]
@=hex(4):

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DPAPI_SYSTEM\CupdTime]
@=hex(0):78,f8,40,8e,e0,11,cf,01

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DPAPI_SYSTEM\CurrVal]
@=hex(0):00,00,00,01,bc,2e,a0,0b,be,d3,30,2a,b5,c3,c1,f4,63,b5,0e,09,03,00,00,\
00,00,00,00,00,cf,4a,30,38,25,e8,fd,9e,ff,23,d5,3a,93,4a,38,77,80,0f,5c,42,\
f5,18,ab,c8,26,d4,f5,ac,70,a0,c4,54,d1,37,19,71,95,ac,2c,ca,5a,73,93,f6,d9,\
a3,22,09,f8,9a,71,1b,75,db,d7,dc,58,37,bc,2c,21,ee,3b,69,1f,f9,45,57,91,af,\
dc,b6,5a,98,0d,8a,24,d2,94,55,6f,5d,25,6d,3e,56,8a,f5,7c,80,e8,bf,40,10,28,\
a5

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DPAPI_SYSTEM\OldVal]
@=hex(0):00,00,00,01,bc,2e,a0,0b,be,d3,30,2a,b5,c3,c1,f4,63,b5,0e,09,03,00,00,\
00,00,00,00,00,da,12,38,ba,17,ae,6d,58,85,29,62,2f,30,d3,2c,23,96,dc,4a,72,\
a6,46,bf,33,1c,61,60,f9,1c,dc,34,03,18,a2,76,25,07,02,ac,b0,c6,13,cb,e4,2e,\
12,dc,f0,6f,3c,2b,41,42,c1,61,a7,9a,c0,51,35,43,b1,4a,9a,55,08,35,bb,1e,24,\
c2,55,4f,ac,6a,fd,1f,01,d1,73,0c,18,53,1e,7e,1b,4e,01,e8,cb,c4,9f,8c,cd,bc,\
82

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DPAPI_SYSTEM\OupdTime]
@=hex(0):de,e8,f8,d5,25,89,cb,01

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DPAPI_SYSTEM\SecDesc]
@=hex(0):01,00,04,80,48,00,00,00,58,00,00,00,00,00,00,00,14,00,00,00,02,00,34,\
00,02,00,00,00,00,00,18,00,03,00,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,00,00,02,00,01,01,00,00,00,00,00,01,00,00,00,00,01,\
02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,01,00,00,00,00,00,05,12,00,\
00,00

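One way to triage an export like the one in the question is to list the entries under `Policy\Secrets` and decode when each was last changed. This is an added example, not code from the thread; the function names are hypothetical, and it assumes `CupdTime` and `OupdTime` hold 8-byte little-endian Windows FILETIME values.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: key layout and the two 8-byte values come from the export
# in the post; the line wrap in OupdTime is constructed, CurrVal/OldVal left out.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DefaultPassword]
@=hex(4):

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DefaultPassword\CupdTime]
@=hex(0):a7,d3,6c,ec,e4,11,cf,01

[HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets\DefaultPassword\OupdTime]
@=hex(0):40,2c,81,\
  5c,e1,11,cf,01
"""
SECRETS = "HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\"

def filetime_to_utc(raw):
    # Assumption: 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC).
    if len(raw) != 8:
        raise ValueError("expected 8 bytes, got %d" % len(raw))
    ticks = int.from_bytes(raw, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_default_values(text):
    """Map each key path to the bytes of its default (@) hex value."""
    joined = re.sub(r"\\\r?\n\s*", "", text)  # undo .reg line continuations
    values, key = {}, None
    for line in (l.strip() for l in joined.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith("@=hex(") and key:
            values[key] = bytes.fromhex(line.split(":", 1)[1].replace(",", ""))
    return values

def secret_update_times(text):
    """Return {secret name: {"CupdTime": datetime, "OupdTime": datetime}}."""
    report = {}
    for key, raw in parse_default_values(text).items():
        if key.startswith(SECRETS):
            name, _, field = key[len(SECRETS):].partition("\\")
            if field in ("CupdTime", "OupdTime"):
                report.setdefault(name, {})[field] = filetime_to_utc(raw)
    return report

if __name__ == "__main__":
    for name, times in secret_update_times(SAMPLE_REG).items():
        print(name, {f: t.isoformat() for f, t in times.items()})
```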

April 23, 2014 3:51:54 PM

Looks like the Banker trojan to me. Grats!